52 Things: Number 11: What are the DLP, CDH and DDH problems?
52 Things: Number 11: What are the DLP, CDH and DDH problems?
52 件事: 数字 11:DLP、CDH 和 DDH 问题是什么?
This is the latest in a series of blog posts to address the list of '52 Things Every PhD Student Should Know To Do Cryptography': a set of questions compiled to give PhD candidates a sense of what they should know by the end of their first year. This blog is the second in the section on Mathematical Background and concerns how group operations can be used to design cryptographic primitives.
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的 52 件事来做密码学”列表:一组问题汇编,让博士生在第一年结束时了解他们应该知道什么。这篇博客是数学背景部分的第二篇,涉及如何使用组操作来设计加密基元。
As you probably know by now, cryptography often relies on 'hard problems'. That is, we design cryptographic protocols whose security can be proven if we assume that the adversary is unable to solve a certain (mathematical) problem in a reasonable amount of time. This blog post introduces three such problems which are widely used in security proofs. Luckily for me, a) this is really just Group Theory, not Computer Science and b) just two days before writing this I attended a very decent guest lecture by fellow Bristol Crypto researcher Susan Thomson on this exact topic. (That is to say, any inaccuracies in the following can and should be blamed on her!)
正如您现在可能知道的那样,密码学通常依赖于“难题”。也就是说,我们设计了加密协议,如果我们假设对手无法在合理的时间内解决某个(数学)问题,则可以证明其安全性。这篇博文介绍了三个在安全证明中广泛使用的问题。幸运的是,a)这真的只是群论,而不是计算机科学,b)就在写这篇文章的前两天,我参加了布里斯托尔加密研究员Susan Thomson关于这个确切主题的非常体面的客座讲座。(也就是说,以下任何不准确之处都可以而且应该归咎于她!
The Discrete Logarithm Problem (DLP)
离散对数问题 (DLP)
Okay, let <span id="MathJax-Span-2" class="mrow"><span id="MathJax-Span-3" class="mi">G be an abelian group. First we write the operation in <span id="MathJax-Span-5" class="mrow"><span id="MathJax-Span-6" class="mi">G multiplicatively. For any <span id="MathJax-Span-8" class="mrow"><span id="MathJax-Span-9" class="mi">g<span id="MathJax-Span-10" class="mo">∈<span id="MathJax-Span-11" class="mi">G and any integer <span id="MathJax-Span-13" class="mrow"><span id="MathJax-Span-14" class="mi">a<span id="MathJax-Span-15" class="mo">><span id="MathJax-Span-16" class="mn">1 let <span id="MathJax-Span-18" class="mrow"><span id="MathJax-Span-19" class="msubsup"><span id="MathJax-Span-20" class="mi">g<span id="MathJax-Span-21" class="mi">a denote <span id="MathJax-Span-23" class="mrow"><span id="MathJax-Span-24" class="mi">g<span id="MathJax-Span-25" class="mo">∗<span id="MathJax-Span-26" class="mi">g<span id="MathJax-Span-27" class="mo">∗<span id="MathJax-Span-28" class="mo">.<span id="MathJax-Span-29" class="mo">.<span id="MathJax-Span-30" class="mo">.<span id="MathJax-Span-31" class="mo">∗<span id="MathJax-Span-32" class="mi">g with <span id="MathJax-Span-34" class="mrow"><span id="MathJax-Span-35" class="mi">a occurrences of <span id="MathJax-Span-37" class="mrow"><span id="MathJax-Span-38" class="mi">g. The discrete logarithm problem (DLP) is:
好吧,让我们 <span id="MathJax-Span-2" class="mrow"><span id="MathJax-Span-3" class="mi">G 成为一个阿贝尔小组。首先,我们 <span id="MathJax-Span-5" class="mrow"><span id="MathJax-Span-6" class="mi">G 用乘法写入运算。对于任何 <span id="MathJax-Span-8" class="mrow"><span id="MathJax-Span-9" class="mi">g<span id="MathJax-Span-10" class="mo">∈<span id="MathJax-Span-11" class="mi">G 和任意整数, <span id="MathJax-Span-13" class="mrow"><span id="MathJax-Span-14" class="mi">a<span id="MathJax-Span-15" class="mo">><span id="MathJax-Span-16" class="mn">1 请 <span id="MathJax-Span-18" class="mrow"><span id="MathJax-Span-19" class="msubsup"><span id="MathJax-Span-20" class="mi">g<span id="MathJax-Span-21" class="mi">a 用 <span id="MathJax-Span-34" class="mrow"><span id="MathJax-Span-35" class="mi">a 的 <span id="MathJax-Span-37" class="mrow"><span id="MathJax-Span-38" class="mi">g 出现次数表示 <span id="MathJax-Span-23" class="mrow"><span id="MathJax-Span-24" class="mi">g<span id="MathJax-Span-25" class="mo">∗<span id="MathJax-Span-26" class="mi">g<span id="MathJax-Span-27" class="mo">∗<span id="MathJax-Span-28" class="mo">.<span id="MathJax-Span-29" class="mo">.<span id="MathJax-Span-30" class="mo">.<span id="MathJax-Span-31" class="mo">∗<span id="MathJax-Span-32" class="mi">g 。离散对数问题 (DLP) 为:
Here <span id="MathJax-Span-56" class="mrow"><span id="MathJax-Span-57" class="mi">a is called the discrete logarithm of <span id="MathJax-Span-59" class="mrow"><span id="MathJax-Span-60" class="mi">h with base <span id="MathJax-Span-62" class="mrow"><span id="MathJax-Span-63" class="mi">g, hence the name of the problem.
这里 <span id="MathJax-Span-56" class="mrow"><span id="MathJax-Span-57" class="mi">a 称为 <span id="MathJax-Span-59" class="mrow"><span id="MathJax-Span-60" class="mi">h 的离散对数 <span id="MathJax-Span-62" class="mrow"><span id="MathJax-Span-63" class="mi">g ,因此问题的名称。
Is the discrete logarithm problem hard? Sometimes, maybe. As a counter-example, let <span id="MathJax-Span-65" class="mrow"><span id="MathJax-Span-66" class="mi">G be the integers under addition. So now it makes sense to write the group operation additively, not multiplicatively. So the same process of repeating the group operation with the same element <span id="MathJax-Span-68" class="mrow"><span id="MathJax-Span-69" class="mi">g is now written <span id="MathJax-Span-71" class="mrow"><span id="MathJax-Span-72" class="mi">g<span id="MathJax-Span-73" class="mo">+<span id="MathJax-Span-74" class="mi">g<span id="MathJax-Span-75" class="mo">+<span id="MathJax-Span-76" class="mo">.<span id="MathJax-Span-77" class="mo">.<span id="MathJax-Span-78" class="mo">.<span id="MathJax-Span-79" class="mo">+<span id="MathJax-Span-80" class="mi">g with, say, <span id="MathJax-Span-82" class="mrow"><span id="MathJax-Span-83" class="mi">a summands and, since we're working in the integers, this sum, call it <span id="MathJax-Span-85" class="mrow"><span id="MathJax-Span-86" class="mi">h, is just equal to the integer <span id="MathJax-Span-88" class="mrow"><span id="MathJax-Span-89" class="mi">a<span id="MathJax-Span-90" class="mi">g. Therefore <span id="MathJax-Span-92" class="mrow"><span id="MathJax-Span-93" class="mi">a, the discrete logarithm of <span id="MathJax-Span-95" class="mrow"><span id="MathJax-Span-96" class="mi">h to the base <span id="MathJax-Span-98" class="mrow"><span id="MathJax-Span-99" class="mi">g, can be found by just dividing <span id="MathJax-Span-101" class="mrow"><span id="MathJax-Span-102" class="mi">h by <span id="MathJax-Span-104" class="mrow"><span id="MathJax-Span-105" class="mi">g. For example, if I say to you, "find the discrete logarithm to the base 3 of 18 in the integers under addition", you'd just write <span id="MathJax-Span-107" class="mrow"><span id="MathJax-Span-108" class="mn">3<span id="MathJax-Span-109" class="mo">+<span id="MathJax-Span-110" class="mn">3<span id="MathJax-Span-111" class="mo">+<span id="MathJax-Span-112" class="mo">.<span id="MathJax-Span-113" class="mo">.<span id="MathJax-Span-114" class="mo">.<span id="MathJax-Span-115" class="mo">+<span id="MathJax-Span-116" class="mn">3<span id="MathJax-Span-117" class="mo">=<span id="MathJax-Span-118" class="mn">18 with <span id="MathJax-Span-120" class="mrow"><span id="MathJax-Span-121" class="mi">a summands on the left, simplify this to <span id="MathJax-Span-123" class="mrow"><span id="MathJax-Span-124" class="mn">3<span id="MathJax-Span-125" class="mi">a<span id="MathJax-Span-126" class="mo">=<span id="MathJax-Span-127" class="mn">18 and find that <span id="MathJax-Span-129" class="mrow"><span id="MathJax-Span-130" class="mi">a<span id="MathJax-Span-131" class="mo">=<span id="MathJax-Span-132" class="mn">6. I could change the group to integers modulo <span id="MathJax-Span-134" class="mrow"><span id="MathJax-Span-135" class="mi">N for some integer <span id="MathJax-Span-137" class="mrow"><span id="MathJax-Span-138" class="mi">N<span id="MathJax-Span-139" class="mo">><span id="MathJax-Span-140" class="mn">1 (still under addition) but the problem wouldn't be much harder: one has to solve an equation like <span id="MathJax-Span-142" class="mrow"><span id="MathJax-Span-143" class="mi">a<span id="MathJax-Span-144" class="mi">g<span id="MathJax-Span-145" class="mo">≡<span id="MathJax-Span-146" class="mi">h<span id="MathJax-Span-147" class="mspace"><span id="MathJax-Span-148" class="mo">(<span id="MathJax-Span-149" class="texatom"><span id="MathJax-Span-150" class="mrow"><span id="MathJax-Span-151" class="mi">m<span id="MathJax-Span-152" class="mi">o<span id="MathJax-Span-153" class="mi">d<span id="MathJax-Span-154" class="mspace"><span id="MathJax-Span-155" class="mi">N<span id="MathJax-Span-156" class="mo">) which is solved by performing the Extended Euclidean Algorithm to find <span id="MathJax-Span-158" class="mrow"><span id="MathJax-Span-159" class="msubsup"><span id="MathJax-Span-160" class="mi">g<span id="MathJax-Span-161" class="texatom"><span id="MathJax-Span-162" class="mrow"><span id="MathJax-Span-163" class="mo">−<span id="MathJax-Span-164" class="mn">1<span id="MathJax-Span-165" class="mspace"><span id="MathJax-Span-166" class="mo">(<span id="MathJax-Span-167" class="texatom"><span id="MathJax-Span-168" class="mrow"><span id="MathJax-Span-169" class="mi">m<span id="MathJax-Span-170" class="mi">o<span id="MathJax-Span-171" class="mi">d<span id="MathJax-Span-172" class="mspace"><span id="MathJax-Span-173" class="mi">N<span id="MathJax-Span-174" class="mo">) (if it exists), multiplying this by <span id="MathJax-Span-176" class="mrow"><span id="MathJax-Span-177" class="mi">h and reducing modulo <span id="MathJax-Span-179" class="mrow"><span id="MathJax-Span-180" class="mi">N to obtain <span id="MathJax-Span-182" class="mrow"><span id="MathJax-Span-183" class="mi">a. All of this is can be done in polynomial time - no good for building secure cryptographic primitives.
离散对数问题难吗?有时,也许。作为反例,假设 <span id="MathJax-Span-65" class="mrow"><span id="MathJax-Span-66" class="mi">G 是加法下的整数。因此,现在以加法而不是乘法方式编写组运算是有意义的。因此,现在用 summands 编写了使用相同元素 <span id="MathJax-Span-68" class="mrow"><span id="MathJax-Span-69" class="mi">g 重复组运算的相同过程,并且由于我们在整数中工作,因此这个总和(称为 <span id="MathJax-Span-85" class="mrow"><span id="MathJax-Span-86" class="mi">h )刚好等于整数 <span id="MathJax-Span-88" class="mrow"><span id="MathJax-Span-89" class="mi">a<span id="MathJax-Span-90" class="mi">g 。 <span id="MathJax-Span-71" class="mrow"><span id="MathJax-Span-72" class="mi">g<span id="MathJax-Span-73" class="mo">+<span id="MathJax-Span-74" class="mi">g<span id="MathJax-Span-75" class="mo">+<span id="MathJax-Span-76" class="mo">.<span id="MathJax-Span-77" class="mo">.<span id="MathJax-Span-78" class="mo">.<span id="MathJax-Span-79" class="mo">+<span id="MathJax-Span-80" class="mi">g <span id="MathJax-Span-82" class="mrow"><span id="MathJax-Span-83" class="mi">a 因此 <span id="MathJax-Span-92" class="mrow"><span id="MathJax-Span-93" class="mi">a ,底的 <span id="MathJax-Span-95" class="mrow"><span id="MathJax-Span-96" class="mi">h 离散对数 <span id="MathJax-Span-98" class="mrow"><span id="MathJax-Span-99" class="mi">g 可以通过 <span id="MathJax-Span-101" class="mrow"><span id="MathJax-Span-102" class="mi">h 除以 <span id="MathJax-Span-104" class="mrow"><span id="MathJax-Span-105" class="mi">g 得到。例如,如果我对你说,“在加法下的整数中找到以 3 的 18 为底的离散对数”,你只需在左边 <span id="MathJax-Span-107" class="mrow"><span id="MathJax-Span-108" class="mn">3<span id="MathJax-Span-109" class="mo">+<span id="MathJax-Span-110" class="mn">3<span id="MathJax-Span-111" class="mo">+<span id="MathJax-Span-112" class="mo">.<span id="MathJax-Span-113" class="mo">.<span id="MathJax-Span-114" class="mo">.<span id="MathJax-Span-115" class="mo">+<span id="MathJax-Span-116" class="mn">3<span id="MathJax-Span-117" class="mo">=<span id="MathJax-Span-118" class="mn">18 写 <span id="MathJax-Span-120" class="mrow"><span id="MathJax-Span-121" class="mi">a 求和,将其简化为 <span id="MathJax-Span-123" class="mrow"><span id="MathJax-Span-124" class="mn">3<span id="MathJax-Span-125" class="mi">a<span id="MathJax-Span-126" class="mo">=<span id="MathJax-Span-127" class="mn">18 并找到 <span id="MathJax-Span-129" class="mrow"><span id="MathJax-Span-130" class="mi">a<span id="MathJax-Span-131" class="mo">=<span id="MathJax-Span-132" class="mn">6 .对于某些整数(仍在加法中),我可以将该组更改为整数模 <span id="MathJax-Span-134" class="mrow"><span id="MathJax-Span-135" class="mi">N ,但问题不会更难:必须求解一个方程,例如 <span id="MathJax-Span-142" class="mrow"><span id="MathJax-Span-143" class="mi">a<span id="MathJax-Span-144" class="mi">g<span id="MathJax-Span-145" class="mo">≡<span id="MathJax-Span-146" class="mi">h<span id="MathJax-Span-147" class="mspace"><span id="MathJax-Span-148" class="mo">(<span id="MathJax-Span-149" class="texatom"><span id="MathJax-Span-150" class="mrow"><span id="MathJax-Span-151" class="mi">m<span id="MathJax-Span-152" class="mi">o<span id="MathJax-Span-153" class="mi">d<span id="MathJax-Span-154" class="mspace"><span id="MathJax-Span-155" class="mi">N<span id="MathJax-Span-156" class="mo">) 通过执行扩展欧几里得算法求解 <span id="MathJax-Span-158" class="mrow"><span id="MathJax-Span-159" class="msubsup"><span id="MathJax-Span-160" class="mi">g<span id="MathJax-Span-161" class="texatom"><span id="MathJax-Span-162" class="mrow"><span id="MathJax-Span-163" class="mo">−<span id="MathJax-Span-164" class="mn">1<span id="MathJax-Span-165" class="mspace"><span id="MathJax-Span-166" class="mo">(<span id="MathJax-Span-167" class="texatom"><span id="MathJax-Span-168" class="mrow"><span id="MathJax-Span-169" class="mi">m<span id="MathJax-Span-170" class="mi">o<span id="MathJax-Span-171" class="mi">d<span id="MathJax-Span-172" class="mspace"><span id="MathJax-Span-173" class="mi">N<span id="MathJax-Span-174" class="mo">) (如果存在),将其乘以 <span id="MathJax-Span-176" class="mrow"><span id="MathJax-Span-177" class="mi">h 并减少模 <span id="MathJax-Span-179" class="mrow"><span id="MathJax-Span-180" class="mi">N 以获得 <span id="MathJax-Span-182" class="mrow"><span id="MathJax-Span-183" class="mi">a 。 <span id="MathJax-Span-137" class="mrow"><span id="MathJax-Span-138" class="mi">N<span id="MathJax-Span-139" class="mo">><span id="MathJax-Span-140" class="mn">1 所有这些都可以在多项式时间内完成 - 对于构建安全的加密原语没有好处。
On the other hand, the DLP in a finite field of prime order viewed as a group under multiplication (after throwing out the zero element) or in elliptic curve groups (more on those next week) is believed to be hard. That is, we do not yet know of any polynomial time algorithms for finding discrete logarithms in these groups. As a concrete example, suppose I ask you, "find the discrete logarithm to the base 3 of 5 in the multiplicative group of the integers modulo 7". This means find an integer <span id="MathJax-Span-185" class="mrow"><span id="MathJax-Span-186" class="mi">a such that <span id="MathJax-Span-188" class="mrow"><span id="MathJax-Span-189" class="msubsup"><span id="MathJax-Span-190" class="mn">3<span id="MathJax-Span-191" class="mi">a<span id="MathJax-Span-192" class="mo">≡<span id="MathJax-Span-193" class="mn">5<span id="MathJax-Span-194" class="mspace"><span id="MathJax-Span-195" class="mo">(<span id="MathJax-Span-196" class="texatom"><span id="MathJax-Span-197" class="mrow"><span id="MathJax-Span-198" class="mi">m<span id="MathJax-Span-199" class="mi">o<span id="MathJax-Span-200" class="mi">d<span id="MathJax-Span-201" class="mspace"><span id="MathJax-Span-202" class="mn">7<span id="MathJax-Span-203" class="mo">). Now that we are in the multiplicative group, not the additive one and so we really do have to 'take logarithms' somehow, not just multiply by the inverse of 3. In this case, since 7 is fairly small, we can find the answer by just trying all the possibilities one at a time until we find a solution:
另一方面,在有限的素数阶域中,DLP被视为乘法组(抛出零元素后)或椭圆曲线组(下周将详细介绍)中的DLP被认为是困难的。也就是说,我们还不知道任何多项式时间算法可以在这些组中寻找离散对数。举个具体的例子,假设我问你,“在整数模 7 的乘法群中找到以 3 的 5 为底的离散对数”。这意味着找到一个整数, <span id="MathJax-Span-185" class="mrow"><span id="MathJax-Span-186" class="mi">a <span id="MathJax-Span-188" class="mrow"><span id="MathJax-Span-189" class="msubsup"><span id="MathJax-Span-190" class="mn">3<span id="MathJax-Span-191" class="mi">a<span id="MathJax-Span-192" class="mo">≡<span id="MathJax-Span-193" class="mn">5<span id="MathJax-Span-194" class="mspace"><span id="MathJax-Span-195" class="mo">(<span id="MathJax-Span-196" class="texatom"><span id="MathJax-Span-197" class="mrow"><span id="MathJax-Span-198" class="mi">m<span id="MathJax-Span-199" class="mi">o<span id="MathJax-Span-200" class="mi">d<span id="MathJax-Span-201" class="mspace"><span id="MathJax-Span-202" class="mn">7<span id="MathJax-Span-203" class="mo">) 使得 .现在我们处于乘法组,而不是加法组,因此我们确实必须以某种方式“取对数”,而不仅仅是乘以 3 的倒数。在这种情况下,由于 7 相当小,我们可以通过一次尝试所有可能性来找到答案,直到我们找到解决方案:
所以 <span id="MathJax-Span-340" class="mrow"><span id="MathJax-Span-341" class="mi">a<span id="MathJax-Span-342" class="mo">=<span id="MathJax-Span-343" class="mn">5 .我们通过反复乘以 3 为底(得到 3、2、6、4 和 5)来“反弹”整数模 7 的方式应该会让您直观地了解为什么 DLP 在这种情况下看起来很困难。如果我们的素数大于 7,比如说二进制的数千位长,即使是计算机也需要很长时间才能以这种方式求解 DLP(尽管有更好的次指数时间算法,并且没有证明不存在用于求解此类组中的 DLP 的多项式时间算法)。
The Computational Diffie-Hellman Problem (CDH)
计算 Diffie-Hellman 问题 (CDH)
A problem related to DLP is named after Whit Diffie and Martin Hellman who devised a way of two parties agreeing on a secret key over a public channel without revealing it:
一个与 DLP 相关的问题以 Whit Diffie 和 Martin Hellman 的名字命名,他们设计了一种方法,让双方在不透露的情况下通过公共频道就密钥达成一致:
现在 <span id="MathJax-Span-391" class="mrow"><span id="MathJax-Span-392" class="msubsup"><span id="MathJax-Span-393" class="mi">g<span id="MathJax-Span-394" class="texatom"><span id="MathJax-Span-395" class="mrow"><span id="MathJax-Span-396" class="mi">a<span id="MathJax-Span-397" class="mi">b 是一个密钥,可用于 Alice 和 Bob 的对称加密和解密。但是有人在听交流时,他们拥有 <span id="MathJax-Span-399" class="mrow"><span id="MathJax-Span-400" class="mi">G 、 <span id="MathJax-Span-402" class="mrow"><span id="MathJax-Span-403" class="mi">g <span id="MathJax-Span-405" class="mrow"><span id="MathJax-Span-406" class="msubsup"><span id="MathJax-Span-407" class="mi">g<span id="MathJax-Span-408" class="mi">a 和 <span id="MathJax-Span-410" class="mrow"><span id="MathJax-Span-411" class="msubsup"><span id="MathJax-Span-412" class="mi">g<span id="MathJax-Span-413" class="mi">b 。因此,密钥 <span id="MathJax-Span-415" class="mrow"><span id="MathJax-Span-416" class="msubsup"><span id="MathJax-Span-417" class="mi">g<span id="MathJax-Span-418" class="texatom"><span id="MathJax-Span-419" class="mrow"><span id="MathJax-Span-420" class="mi">a<span id="MathJax-Span-421" class="mi">b 的保密性取决于这个问题,称为计算 Diffie-Hellman 问题 (CDH):
CDH is clearly related to DLP, but which is harder? Well, if I can solve DLP then I can efficiently compute the secret integer <span id="MathJax-Span-447" class="mrow"><span id="MathJax-Span-448" class="mi">a from <span id="MathJax-Span-450" class="mrow"><span id="MathJax-Span-451" class="msubsup"><span id="MathJax-Span-452" class="mi">g<span id="MathJax-Span-453" class="mi">a and then find <span id="MathJax-Span-455" class="mrow"><span id="MathJax-Span-456" class="msubsup"><span id="MathJax-Span-457" class="mi">g<span id="MathJax-Span-458" class="texatom"><span id="MathJax-Span-459" class="mrow"><span id="MathJax-Span-460" class="mi">a<span id="MathJax-Span-461" class="mi">b by raising <span id="MathJax-Span-463" class="mrow"><span id="MathJax-Span-464" class="msubsup"><span id="MathJax-Span-465" class="mi">g<span id="MathJax-Span-466" class="texatom"><span id="MathJax-Span-467" class="mrow"><span id="MathJax-Span-468" class="mi">b to the power <span id="MathJax-Span-470" class="mrow"><span id="MathJax-Span-471" class="mi">a in the same way Alice does, therefore solving CDH. So anyone who can solve DLP can also solve CDH, meaning DLP is at least as hard as CDH.
CDH 显然与 DLP 有关,但哪个更难?好吧,如果我能解决 DLP,那么我就可以有效地 <span id="MathJax-Span-447" class="mrow"><span id="MathJax-Span-448" class="mi">a 计算秘密整数, <span id="MathJax-Span-450" class="mrow"><span id="MathJax-Span-451" class="msubsup"><span id="MathJax-Span-452" class="mi">g<span id="MathJax-Span-453" class="mi">a 然后以与 Alice 相同的方式通过提高到 <span id="MathJax-Span-463" class="mrow"><span id="MathJax-Span-464" class="msubsup"><span id="MathJax-Span-465" class="mi">g<span id="MathJax-Span-466" class="texatom"><span id="MathJax-Span-467" class="mrow"><span id="MathJax-Span-468" class="mi">b 幂 <span id="MathJax-Span-470" class="mrow"><span id="MathJax-Span-471" class="mi">a 来找到 <span id="MathJax-Span-455" class="mrow"><span id="MathJax-Span-456" class="msubsup"><span id="MathJax-Span-457" class="mi">g<span id="MathJax-Span-458" class="texatom"><span id="MathJax-Span-459" class="mrow"><span id="MathJax-Span-460" class="mi">a<span id="MathJax-Span-461" class="mi">b ,从而解决 CDH。所以任何能解决DLP的人也可以解决CDH,这意味着DLP至少和CDH一样难。
The Decisional Diffie-Hellman Problem (DDH)
决策 Diffie-Hellman 问题 (DDH)
This is another 'discrete logarithm' style problem used to prove indistinguishability properties. Say Alice and Bob perform the Diffie-Hellman key agreement protocol as above so that <span id="MathJax-Span-473" class="mrow"><span id="MathJax-Span-474" class="mi">G, <span id="MathJax-Span-476" class="mrow"><span id="MathJax-Span-477" class="mi">g, <span id="MathJax-Span-479" class="mrow"><span id="MathJax-Span-480" class="msubsup"><span id="MathJax-Span-481" class="mi">g<span id="MathJax-Span-482" class="mi">a and <span id="MathJax-Span-484" class="mrow"><span id="MathJax-Span-485" class="msubsup"><span id="MathJax-Span-486" class="mi">g<span id="MathJax-Span-487" class="mi">b are all public and <span id="MathJax-Span-489" class="mrow"><span id="MathJax-Span-490" class="msubsup"><span id="MathJax-Span-491" class="mi">g<span id="MathJax-Span-492" class="texatom"><span id="MathJax-Span-493" class="mrow"><span id="MathJax-Span-494" class="mi">a<span id="MathJax-Span-495" class="mi">b is the shared secret key. Intuitively, the Decisional Diffie-Hellman Problem (DDH) asks whether an adversary can distinguish Alice and Bob's secret key <span id="MathJax-Span-497" class="mrow"><span id="MathJax-Span-498" class="msubsup"><span id="MathJax-Span-499" class="mi">g<span id="MathJax-Span-500" class="texatom"><span id="MathJax-Span-501" class="mrow"><span id="MathJax-Span-502" class="mi">a<span id="MathJax-Span-503" class="mi">b from a random group element of <span id="MathJax-Span-505" class="mrow"><span id="MathJax-Span-506" class="mi">G. Formally:
这是另一个“离散对数”风格的问题,用于证明不可区分性。假设 Alice 和 Bob 执行如上所述的 Diffie-Hellman 密钥协议,因此 <span id="MathJax-Span-473" class="mrow"><span id="MathJax-Span-474" class="mi">G 、 <span id="MathJax-Span-476" class="mrow"><span id="MathJax-Span-477" class="mi">g <span id="MathJax-Span-479" class="mrow"><span id="MathJax-Span-480" class="msubsup"><span id="MathJax-Span-481" class="mi">g<span id="MathJax-Span-482" class="mi">a 和 <span id="MathJax-Span-484" class="mrow"><span id="MathJax-Span-485" class="msubsup"><span id="MathJax-Span-486" class="mi">g<span id="MathJax-Span-487" class="mi">b 都是公共的,并且是 <span id="MathJax-Span-489" class="mrow"><span id="MathJax-Span-490" class="msubsup"><span id="MathJax-Span-491" class="mi">g<span id="MathJax-Span-492" class="texatom"><span id="MathJax-Span-493" class="mrow"><span id="MathJax-Span-494" class="mi">a<span id="MathJax-Span-495" class="mi">b 共享的密钥。直观地说,决策 Diffie-Hellman 问题 (DDH) 询问对手是否可以将 Alice 和 Bob 的密钥 <span id="MathJax-Span-497" class="mrow"><span id="MathJax-Span-498" class="msubsup"><span id="MathJax-Span-499" class="mi">g<span id="MathJax-Span-500" class="texatom"><span id="MathJax-Span-501" class="mrow"><span id="MathJax-Span-502" class="mi">a<span id="MathJax-Span-503" class="mi">b 与随机 <span id="MathJax-Span-505" class="mrow"><span id="MathJax-Span-506" class="mi">G 组元素区分开来。正式:
如果攻击者可以求解 DDH(即输出概率大于 的正确值 <span id="MathJax-Span-562" class="mrow"><span id="MathJax-Span-563" class="mi">x ),那么 <span id="MathJax-Span-570" class="mrow"><span id="MathJax-Span-571" class="mi">G , <span id="MathJax-Span-573" class="mrow"><span id="MathJax-Span-574" class="mi">g <span id="MathJax-Span-576" class="mrow"><span id="MathJax-Span-577" class="msubsup"><span id="MathJax-Span-578" class="mi">g<span id="MathJax-Span-579" class="mi">a , 并且 <span id="MathJax-Span-581" class="mrow"><span id="MathJax-Span-582" class="msubsup"><span id="MathJax-Span-583" class="mi">g<span id="MathJax-Span-584" class="mi">b 必须泄露一些关于将其与随机组元素区分开来的密钥 <span id="MathJax-Span-586" class="mrow"><span id="MathJax-Span-587" class="msubsup"><span id="MathJax-Span-588" class="mi">g<span id="MathJax-Span-589" class="texatom"><span id="MathJax-Span-590" class="mrow"><span id="MathJax-Span-591" class="mi">a<span id="MathJax-Span-592" class="mi">b 的信息,即使它不能直接计算。 <span id="MathJax-Span-565" class="mrow"><span id="MathJax-Span-566" class="mfrac"><span id="MathJax-Span-567" class="mn">1<span id="MathJax-Span-568" class="mn">2 应该清楚的是,如果对手能够解决计算的 Diffie-Hellman 问题,那么他们实际上可以计算 <span id="MathJax-Span-594" class="mrow"><span id="MathJax-Span-595" class="msubsup"><span id="MathJax-Span-596" class="mi">g<span id="MathJax-Span-597" class="texatom"><span id="MathJax-Span-598" class="mrow"><span id="MathJax-Span-599" class="mi">a<span id="MathJax-Span-600" class="mi">b 并因此轻松地将该元素与随机群元素区分开来,从而解决决策 Diffie-Hellman 问题。所以任何能解决 CDH 的人也可以解决 DDH,这意味着 CDH 至少和 DDH 一样难。
These are the three problems we wanted to talk about and we've given a sketch proof of their ordering in terms of hardness: DLP is the most hard, then CDH and then DDH. As we've seen, DLP is sometimes easy, making CDH and DDH easy. So the choice of group <span id="MathJax-Span-602" class="mrow"><span id="MathJax-Span-603" class="mi">G and generator <span id="MathJax-Span-605" class="mrow"><span id="MathJax-Span-606" class="mi">g is very important when doing cryptography!
这是我们想要讨论的三个问题,我们已经给出了它们在硬度方面的排序的草图证明:DLP 是最硬的,然后是 CDH,然后是 DDH。正如我们所看到的,DLP 有时很容易,使 CDH 和 DDH 变得容易。所以在做密码学的时候,组 <span id="MathJax-Span-602" class="mrow"><span id="MathJax-Span-603" class="mi">G 和生成器 <span id="MathJax-Span-605" class="mrow"><span id="MathJax-Span-606" class="mi">g 的选择是非常重要的!
这是一系列博客文章中的最新一篇,旨在解决“每个博士生都应该知道的 52 件事来做密码学”列表:一组问题汇编,让博士生在第一年结束时了解他们应该知道什么。这篇博客是数学背景部分的第二篇,涉及如何使用组操作来设计加密基元。
As you probably know by now, cryptography often relies on 'hard problems'. That is, we design cryptographic protocols whose security can be proven if we assume that the adversary is unable to solve a certain (mathematical) problem in a reasonable amount of time. This blog post introduces three such problems which are widely used in security proofs. Luckily for me, a) this is really just Group Theory, not Computer Science and b) just two days before writing this I attended a very decent guest lecture by fellow Bristol Crypto researcher Susan Thomson on this exact topic. (That is to say, any inaccuracies in the following can and should be blamed on her!)
正如您现在可能知道的那样,密码学通常依赖于“难题”。也就是说,我们设计了加密协议,如果我们假设对手无法在合理的时间内解决某个(数学)问题,则可以证明其安全性。这篇博文介绍了三个在安全证明中广泛使用的问题。幸运的是,a)这真的只是群论,而不是计算机科学,b)就在写这篇文章的前两天,我参加了布里斯托尔加密研究员Susan Thomson关于这个确切主题的非常体面的客座讲座。(也就是说,以下任何不准确之处都可以而且应该归咎于她!
The Discrete Logarithm Problem (DLP)
离散对数问题 (DLP)
Okay, let <span id="MathJax-Span-2" class="mrow"><span id="MathJax-Span-3" class="mi">G be an abelian group. First we write the operation in <span id="MathJax-Span-5" class="mrow"><span id="MathJax-Span-6" class="mi">G multiplicatively. For any <span id="MathJax-Span-8" class="mrow"><span id="MathJax-Span-9" class="mi">g<span id="MathJax-Span-10" class="mo">∈<span id="MathJax-Span-11" class="mi">G and any integer <span id="MathJax-Span-13" class="mrow"><span id="MathJax-Span-14" class="mi">a<span id="MathJax-Span-15" class="mo">><span id="MathJax-Span-16" class="mn">1 let <span id="MathJax-Span-18" class="mrow"><span id="MathJax-Span-19" class="msubsup"><span id="MathJax-Span-20" class="mi">g<span id="MathJax-Span-21" class="mi">a denote <span id="MathJax-Span-23" class="mrow"><span id="MathJax-Span-24" class="mi">g<span id="MathJax-Span-25" class="mo">∗<span id="MathJax-Span-26" class="mi">g<span id="MathJax-Span-27" class="mo">∗<span id="MathJax-Span-28" class="mo">.<span id="MathJax-Span-29" class="mo">.<span id="MathJax-Span-30" class="mo">.<span id="MathJax-Span-31" class="mo">∗<span id="MathJax-Span-32" class="mi">g with <span id="MathJax-Span-34" class="mrow"><span id="MathJax-Span-35" class="mi">a occurrences of <span id="MathJax-Span-37" class="mrow"><span id="MathJax-Span-38" class="mi">g. The discrete logarithm problem (DLP) is:
好吧,让我们 <span id="MathJax-Span-2" class="mrow"><span id="MathJax-Span-3" class="mi">G 成为一个阿贝尔小组。首先,我们 <span id="MathJax-Span-5" class="mrow"><span id="MathJax-Span-6" class="mi">G 用乘法写入运算。对于任何 <span id="MathJax-Span-8" class="mrow"><span id="MathJax-Span-9" class="mi">g<span id="MathJax-Span-10" class="mo">∈<span id="MathJax-Span-11" class="mi">G 和任意整数, <span id="MathJax-Span-13" class="mrow"><span id="MathJax-Span-14" class="mi">a<span id="MathJax-Span-15" class="mo">><span id="MathJax-Span-16" class="mn">1 请 <span id="MathJax-Span-18" class="mrow"><span id="MathJax-Span-19" class="msubsup"><span id="MathJax-Span-20" class="mi">g<span id="MathJax-Span-21" class="mi">a 用 <span id="MathJax-Span-34" class="mrow"><span id="MathJax-Span-35" class="mi">a 的 <span id="MathJax-Span-37" class="mrow"><span id="MathJax-Span-38" class="mi">g 出现次数表示 <span id="MathJax-Span-23" class="mrow"><span id="MathJax-Span-24" class="mi">g<span id="MathJax-Span-25" class="mo">∗<span id="MathJax-Span-26" class="mi">g<span id="MathJax-Span-27" class="mo">∗<span id="MathJax-Span-28" class="mo">.<span id="MathJax-Span-29" class="mo">.<span id="MathJax-Span-30" class="mo">.<span id="MathJax-Span-31" class="mo">∗<span id="MathJax-Span-32" class="mi">g 。离散对数问题 (DLP) 为:
Given <span id="MathJax-Span-40" class="mrow"><span id="MathJax-Span-41" class="mi">G, <span id="MathJax-Span-43" class="mrow"><span id="MathJax-Span-44" class="mi">g and <span id="MathJax-Span-46" class="mrow"><span id="MathJax-Span-47" class="mi">h<span id="MathJax-Span-48" class="mo">=<span id="MathJax-Span-49" class="msubsup"><span id="MathJax-Span-50" class="mi">g<span id="MathJax-Span-51" class="mi">a, find <span id="MathJax-Span-53" class="mrow"><span id="MathJax-Span-54" class="mi">a.
给定 <span id="MathJax-Span-40" class="mrow"><span id="MathJax-Span-41" class="mi">G 和 <span id="MathJax-Span-43" class="mrow"><span id="MathJax-Span-44" class="mi">g <span id="MathJax-Span-46" class="mrow"><span id="MathJax-Span-47" class="mi">h<span id="MathJax-Span-48" class="mo">=<span id="MathJax-Span-49" class="msubsup"><span id="MathJax-Span-50" class="mi">g<span id="MathJax-Span-51" class="mi">a ,找到 <span id="MathJax-Span-53" class="mrow"><span id="MathJax-Span-54" class="mi">a 。
给定 <span id="MathJax-Span-40" class="mrow"><span id="MathJax-Span-41" class="mi">G 和 <span id="MathJax-Span-43" class="mrow"><span id="MathJax-Span-44" class="mi">g <span id="MathJax-Span-46" class="mrow"><span id="MathJax-Span-47" class="mi">h<span id="MathJax-Span-48" class="mo">=<span id="MathJax-Span-49" class="msubsup"><span id="MathJax-Span-50" class="mi">g<span id="MathJax-Span-51" class="mi">a ,找到 <span id="MathJax-Span-53" class="mrow"><span id="MathJax-Span-54" class="mi">a 。
Here <span id="MathJax-Span-56" class="mrow"><span id="MathJax-Span-57" class="mi">a is called the discrete logarithm of <span id="MathJax-Span-59" class="mrow"><span id="MathJax-Span-60" class="mi">h with base <span id="MathJax-Span-62" class="mrow"><span id="MathJax-Span-63" class="mi">g, hence the name of the problem.
这里 <span id="MathJax-Span-56" class="mrow"><span id="MathJax-Span-57" class="mi">a 称为 <span id="MathJax-Span-59" class="mrow"><span id="MathJax-Span-60" class="mi">h 的离散对数 <span id="MathJax-Span-62" class="mrow"><span id="MathJax-Span-63" class="mi">g ,因此问题的名称。
Is the discrete logarithm problem hard? Sometimes, maybe. As a counter-example, let <span id="MathJax-Span-65" class="mrow"><span id="MathJax-Span-66" class="mi">G be the integers under addition. So now it makes sense to write the group operation additively, not multiplicatively. So the same process of repeating the group operation with the same element <span id="MathJax-Span-68" class="mrow"><span id="MathJax-Span-69" class="mi">g is now written <span id="MathJax-Span-71" class="mrow"><span id="MathJax-Span-72" class="mi">g<span id="MathJax-Span-73" class="mo">+<span id="MathJax-Span-74" class="mi">g<span id="MathJax-Span-75" class="mo">+<span id="MathJax-Span-76" class="mo">.<span id="MathJax-Span-77" class="mo">.<span id="MathJax-Span-78" class="mo">.<span id="MathJax-Span-79" class="mo">+<span id="MathJax-Span-80" class="mi">g with, say, <span id="MathJax-Span-82" class="mrow"><span id="MathJax-Span-83" class="mi">a summands and, since we're working in the integers, this sum, call it <span id="MathJax-Span-85" class="mrow"><span id="MathJax-Span-86" class="mi">h, is just equal to the integer <span id="MathJax-Span-88" class="mrow"><span id="MathJax-Span-89" class="mi">a<span id="MathJax-Span-90" class="mi">g. Therefore <span id="MathJax-Span-92" class="mrow"><span id="MathJax-Span-93" class="mi">a, the discrete logarithm of <span id="MathJax-Span-95" class="mrow"><span id="MathJax-Span-96" class="mi">h to the base <span id="MathJax-Span-98" class="mrow"><span id="MathJax-Span-99" class="mi">g, can be found by just dividing <span id="MathJax-Span-101" class="mrow"><span id="MathJax-Span-102" class="mi">h by <span id="MathJax-Span-104" class="mrow"><span id="MathJax-Span-105" class="mi">g. For example, if I say to you, "find the discrete logarithm to the base 3 of 18 in the integers under addition", you'd just write <span id="MathJax-Span-107" class="mrow"><span id="MathJax-Span-108" class="mn">3<span id="MathJax-Span-109" class="mo">+<span id="MathJax-Span-110" class="mn">3<span id="MathJax-Span-111" class="mo">+<span id="MathJax-Span-112" class="mo">.<span id="MathJax-Span-113" class="mo">.<span id="MathJax-Span-114" class="mo">.<span id="MathJax-Span-115" class="mo">+<span id="MathJax-Span-116" class="mn">3<span id="MathJax-Span-117" class="mo">=<span id="MathJax-Span-118" class="mn">18 with <span id="MathJax-Span-120" class="mrow"><span id="MathJax-Span-121" class="mi">a summands on the left, simplify this to <span id="MathJax-Span-123" class="mrow"><span id="MathJax-Span-124" class="mn">3<span id="MathJax-Span-125" class="mi">a<span id="MathJax-Span-126" class="mo">=<span id="MathJax-Span-127" class="mn">18 and find that <span id="MathJax-Span-129" class="mrow"><span id="MathJax-Span-130" class="mi">a<span id="MathJax-Span-131" class="mo">=<span id="MathJax-Span-132" class="mn">6. I could change the group to integers modulo <span id="MathJax-Span-134" class="mrow"><span id="MathJax-Span-135" class="mi">N for some integer <span id="MathJax-Span-137" class="mrow"><span id="MathJax-Span-138" class="mi">N<span id="MathJax-Span-139" class="mo">><span id="MathJax-Span-140" class="mn">1 (still under addition) but the problem wouldn't be much harder: one has to solve an equation like <span id="MathJax-Span-142" class="mrow"><span id="MathJax-Span-143" class="mi">a<span id="MathJax-Span-144" class="mi">g<span id="MathJax-Span-145" class="mo">≡<span id="MathJax-Span-146" class="mi">h<span id="MathJax-Span-147" class="mspace"><span id="MathJax-Span-148" class="mo">(<span id="MathJax-Span-149" class="texatom"><span id="MathJax-Span-150" class="mrow"><span id="MathJax-Span-151" class="mi">m<span id="MathJax-Span-152" class="mi">o<span id="MathJax-Span-153" class="mi">d<span id="MathJax-Span-154" class="mspace"><span id="MathJax-Span-155" class="mi">N<span id="MathJax-Span-156" class="mo">) which is solved by performing the Extended Euclidean Algorithm to find <span id="MathJax-Span-158" class="mrow"><span id="MathJax-Span-159" class="msubsup"><span id="MathJax-Span-160" class="mi">g<span id="MathJax-Span-161" class="texatom"><span id="MathJax-Span-162" class="mrow"><span id="MathJax-Span-163" class="mo">−<span id="MathJax-Span-164" class="mn">1<span id="MathJax-Span-165" class="mspace"><span id="MathJax-Span-166" class="mo">(<span id="MathJax-Span-167" class="texatom"><span id="MathJax-Span-168" class="mrow"><span id="MathJax-Span-169" class="mi">m<span id="MathJax-Span-170" class="mi">o<span id="MathJax-Span-171" class="mi">d<span id="MathJax-Span-172" class="mspace"><span id="MathJax-Span-173" class="mi">N<span id="MathJax-Span-174" class="mo">) (if it exists), multiplying this by <span id="MathJax-Span-176" class="mrow"><span id="MathJax-Span-177" class="mi">h and reducing modulo <span id="MathJax-Span-179" class="mrow"><span id="MathJax-Span-180" class="mi">N to obtain <span id="MathJax-Span-182" class="mrow"><span id="MathJax-Span-183" class="mi">a. All of this is can be done in polynomial time - no good for building secure cryptographic primitives.
离散对数问题难吗?有时,也许。作为反例,假设 <span id="MathJax-Span-65" class="mrow"><span id="MathJax-Span-66" class="mi">G 是加法下的整数。因此,现在以加法而不是乘法方式编写组运算是有意义的。因此,现在用 summands 编写了使用相同元素 <span id="MathJax-Span-68" class="mrow"><span id="MathJax-Span-69" class="mi">g 重复组运算的相同过程,并且由于我们在整数中工作,因此这个总和(称为 <span id="MathJax-Span-85" class="mrow"><span id="MathJax-Span-86" class="mi">h )刚好等于整数 <span id="MathJax-Span-88" class="mrow"><span id="MathJax-Span-89" class="mi">a<span id="MathJax-Span-90" class="mi">g 。 <span id="MathJax-Span-71" class="mrow"><span id="MathJax-Span-72" class="mi">g<span id="MathJax-Span-73" class="mo">+<span id="MathJax-Span-74" class="mi">g<span id="MathJax-Span-75" class="mo">+<span id="MathJax-Span-76" class="mo">.<span id="MathJax-Span-77" class="mo">.<span id="MathJax-Span-78" class="mo">.<span id="MathJax-Span-79" class="mo">+<span id="MathJax-Span-80" class="mi">g <span id="MathJax-Span-82" class="mrow"><span id="MathJax-Span-83" class="mi">a 因此 <span id="MathJax-Span-92" class="mrow"><span id="MathJax-Span-93" class="mi">a ,底的 <span id="MathJax-Span-95" class="mrow"><span id="MathJax-Span-96" class="mi">h 离散对数 <span id="MathJax-Span-98" class="mrow"><span id="MathJax-Span-99" class="mi">g 可以通过 <span id="MathJax-Span-101" class="mrow"><span id="MathJax-Span-102" class="mi">h 除以 <span id="MathJax-Span-104" class="mrow"><span id="MathJax-Span-105" class="mi">g 得到。例如,如果我对你说,“在加法下的整数中找到以 3 的 18 为底的离散对数”,你只需在左边 <span id="MathJax-Span-107" class="mrow"><span id="MathJax-Span-108" class="mn">3<span id="MathJax-Span-109" class="mo">+<span id="MathJax-Span-110" class="mn">3<span id="MathJax-Span-111" class="mo">+<span id="MathJax-Span-112" class="mo">.<span id="MathJax-Span-113" class="mo">.<span id="MathJax-Span-114" class="mo">.<span id="MathJax-Span-115" class="mo">+<span id="MathJax-Span-116" class="mn">3<span id="MathJax-Span-117" class="mo">=<span id="MathJax-Span-118" class="mn">18 写 <span id="MathJax-Span-120" class="mrow"><span id="MathJax-Span-121" class="mi">a 求和,将其简化为 <span id="MathJax-Span-123" class="mrow"><span id="MathJax-Span-124" class="mn">3<span id="MathJax-Span-125" class="mi">a<span id="MathJax-Span-126" class="mo">=<span id="MathJax-Span-127" class="mn">18 并找到 <span id="MathJax-Span-129" class="mrow"><span id="MathJax-Span-130" class="mi">a<span id="MathJax-Span-131" class="mo">=<span id="MathJax-Span-132" class="mn">6 .对于某些整数(仍在加法中),我可以将该组更改为整数模 <span id="MathJax-Span-134" class="mrow"><span id="MathJax-Span-135" class="mi">N ,但问题不会更难:必须求解一个方程,例如 <span id="MathJax-Span-142" class="mrow"><span id="MathJax-Span-143" class="mi">a<span id="MathJax-Span-144" class="mi">g<span id="MathJax-Span-145" class="mo">≡<span id="MathJax-Span-146" class="mi">h<span id="MathJax-Span-147" class="mspace"><span id="MathJax-Span-148" class="mo">(<span id="MathJax-Span-149" class="texatom"><span id="MathJax-Span-150" class="mrow"><span id="MathJax-Span-151" class="mi">m<span id="MathJax-Span-152" class="mi">o<span id="MathJax-Span-153" class="mi">d<span id="MathJax-Span-154" class="mspace"><span id="MathJax-Span-155" class="mi">N<span id="MathJax-Span-156" class="mo">) 通过执行扩展欧几里得算法求解 <span id="MathJax-Span-158" class="mrow"><span id="MathJax-Span-159" class="msubsup"><span id="MathJax-Span-160" class="mi">g<span id="MathJax-Span-161" class="texatom"><span id="MathJax-Span-162" class="mrow"><span id="MathJax-Span-163" class="mo">−<span id="MathJax-Span-164" class="mn">1<span id="MathJax-Span-165" class="mspace"><span id="MathJax-Span-166" class="mo">(<span id="MathJax-Span-167" class="texatom"><span id="MathJax-Span-168" class="mrow"><span id="MathJax-Span-169" class="mi">m<span id="MathJax-Span-170" class="mi">o<span id="MathJax-Span-171" class="mi">d<span id="MathJax-Span-172" class="mspace"><span id="MathJax-Span-173" class="mi">N<span id="MathJax-Span-174" class="mo">) (如果存在),将其乘以 <span id="MathJax-Span-176" class="mrow"><span id="MathJax-Span-177" class="mi">h 并减少模 <span id="MathJax-Span-179" class="mrow"><span id="MathJax-Span-180" class="mi">N 以获得 <span id="MathJax-Span-182" class="mrow"><span id="MathJax-Span-183" class="mi">a 。 <span id="MathJax-Span-137" class="mrow"><span id="MathJax-Span-138" class="mi">N<span id="MathJax-Span-139" class="mo">><span id="MathJax-Span-140" class="mn">1 所有这些都可以在多项式时间内完成 - 对于构建安全的加密原语没有好处。
On the other hand, the DLP in a finite field of prime order viewed as a group under multiplication (after throwing out the zero element) or in elliptic curve groups (more on those next week) is believed to be hard. That is, we do not yet know of any polynomial time algorithms for finding discrete logarithms in these groups. As a concrete example, suppose I ask you, "find the discrete logarithm to the base 3 of 5 in the multiplicative group of the integers modulo 7". This means find an integer <span id="MathJax-Span-185" class="mrow"><span id="MathJax-Span-186" class="mi">a such that <span id="MathJax-Span-188" class="mrow"><span id="MathJax-Span-189" class="msubsup"><span id="MathJax-Span-190" class="mn">3<span id="MathJax-Span-191" class="mi">a<span id="MathJax-Span-192" class="mo">≡<span id="MathJax-Span-193" class="mn">5<span id="MathJax-Span-194" class="mspace"><span id="MathJax-Span-195" class="mo">(<span id="MathJax-Span-196" class="texatom"><span id="MathJax-Span-197" class="mrow"><span id="MathJax-Span-198" class="mi">m<span id="MathJax-Span-199" class="mi">o<span id="MathJax-Span-200" class="mi">d<span id="MathJax-Span-201" class="mspace"><span id="MathJax-Span-202" class="mn">7<span id="MathJax-Span-203" class="mo">). Now that we are in the multiplicative group, not the additive one and so we really do have to 'take logarithms' somehow, not just multiply by the inverse of 3. In this case, since 7 is fairly small, we can find the answer by just trying all the possibilities one at a time until we find a solution:
另一方面,在有限的素数阶域中,DLP被视为乘法组(抛出零元素后)或椭圆曲线组(下周将详细介绍)中的DLP被认为是困难的。也就是说,我们还不知道任何多项式时间算法可以在这些组中寻找离散对数。举个具体的例子,假设我问你,“在整数模 7 的乘法群中找到以 3 的 5 为底的离散对数”。这意味着找到一个整数, <span id="MathJax-Span-185" class="mrow"><span id="MathJax-Span-186" class="mi">a <span id="MathJax-Span-188" class="mrow"><span id="MathJax-Span-189" class="msubsup"><span id="MathJax-Span-190" class="mn">3<span id="MathJax-Span-191" class="mi">a<span id="MathJax-Span-192" class="mo">≡<span id="MathJax-Span-193" class="mn">5<span id="MathJax-Span-194" class="mspace"><span id="MathJax-Span-195" class="mo">(<span id="MathJax-Span-196" class="texatom"><span id="MathJax-Span-197" class="mrow"><span id="MathJax-Span-198" class="mi">m<span id="MathJax-Span-199" class="mi">o<span id="MathJax-Span-200" class="mi">d<span id="MathJax-Span-201" class="mspace"><span id="MathJax-Span-202" class="mn">7<span id="MathJax-Span-203" class="mo">) 使得 .现在我们处于乘法组,而不是加法组,因此我们确实必须以某种方式“取对数”,而不仅仅是乘以 3 的倒数。在这种情况下,由于 7 相当小,我们可以通过一次尝试所有可能性来找到答案,直到我们找到解决方案:
- <span id="MathJax-Span-205" class="mrow"><span id="MathJax-Span-206" class="msubsup"><span id="MathJax-Span-207" class="mn">3<span id="MathJax-Span-208" class="mn">1<span id="MathJax-Span-209" class="mo">=<span id="MathJax-Span-210" class="mn">3<span id="MathJax-Span-211" class="mo">≢<span id="MathJax-Span-212" class="mn">5<span id="MathJax-Span-213" class="mspace"><span id="MathJax-Span-214" class="mo">(<span id="MathJax-Span-215" class="texatom"><span id="MathJax-Span-216" class="mrow"><span id="MathJax-Span-217" class="mi">m<span id="MathJax-Span-218" class="mi">o<span id="MathJax-Span-219" class="mi">d<span id="MathJax-Span-220" class="mspace"><span id="MathJax-Span-221" class="mn">7<span id="MathJax-Span-222" class="mo">)
- <span id="MathJax-Span-224" class="mrow"><span id="MathJax-Span-225" class="msubsup"><span id="MathJax-Span-226" class="mn">3<span id="MathJax-Span-227" class="mn">2<span id="MathJax-Span-228" class="mo">=<span id="MathJax-Span-229" class="mn">9<span id="MathJax-Span-230" class="mo">≡<span id="MathJax-Span-231" class="mn">2<span id="MathJax-Span-232" class="mo">≢<span id="MathJax-Span-233" class="mn">5<span id="MathJax-Span-234" class="mspace"><span id="MathJax-Span-235" class="mo">(<span id="MathJax-Span-236" class="texatom"><span id="MathJax-Span-237" class="mrow"><span id="MathJax-Span-238" class="mi">m<span id="MathJax-Span-239" class="mi">o<span id="MathJax-Span-240" class="mi">d<span id="MathJax-Span-241" class="mspace"><span id="MathJax-Span-242" class="mn">7<span id="MathJax-Span-243" class="mo">)
- <span id="MathJax-Span-245" class="mrow"><span id="MathJax-Span-246" class="msubsup"><span id="MathJax-Span-247" class="mn">3<span id="MathJax-Span-248" class="mn">3<span id="MathJax-Span-249" class="mo">=<span id="MathJax-Span-250" class="mo">(<span id="MathJax-Span-251" class="msubsup"><span id="MathJax-Span-252" class="mn">3<span id="MathJax-Span-253" class="mn">2<span id="MathJax-Span-254" class="mo">)<span id="MathJax-Span-255" class="mo">×<span id="MathJax-Span-256" class="mn">3<span id="MathJax-Span-257" class="mo">≡<span id="MathJax-Span-258" class="mn">2<span id="MathJax-Span-259" class="mo">×<span id="MathJax-Span-260" class="mn">3<span id="MathJax-Span-261" class="mo">=<span id="MathJax-Span-262" class="mn">6<span id="MathJax-Span-263" class="mo">≢<span id="MathJax-Span-264" class="mn">5<span id="MathJax-Span-265" class="mspace"><span id="MathJax-Span-266" class="mo">(<span id="MathJax-Span-267" class="texatom"><span id="MathJax-Span-268" class="mrow"><span id="MathJax-Span-269" class="mi">m<span id="MathJax-Span-270" class="mi">o<span id="MathJax-Span-271" class="mi">d<span id="MathJax-Span-272" class="mspace"><span id="MathJax-Span-273" class="mn">7<span id="MathJax-Span-274" class="mo">)
- <span id="MathJax-Span-276" class="mrow"><span id="MathJax-Span-277" class="msubsup"><span id="MathJax-Span-278" class="mn">3<span id="MathJax-Span-279" class="mn">4<span id="MathJax-Span-280" class="mo">=<span id="MathJax-Span-281" class="mo">(<span id="MathJax-Span-282" class="msubsup"><span id="MathJax-Span-283" class="mn">3<span id="MathJax-Span-284" class="mn">3<span id="MathJax-Span-285" class="mo">)<span id="MathJax-Span-286" class="mo">×<span id="MathJax-Span-287" class="mn">3<span id="MathJax-Span-288" class="mo">≡<span id="MathJax-Span-289" class="mn">6<span id="MathJax-Span-290" class="mo">×<span id="MathJax-Span-291" class="mn">3<span id="MathJax-Span-292" class="mo">=<span id="MathJax-Span-293" class="mn">18<span id="MathJax-Span-294" class="mo">≡<span id="MathJax-Span-295" class="mn">4<span id="MathJax-Span-296" class="mo">≢<span id="MathJax-Span-297" class="mn">5<span id="MathJax-Span-298" class="mspace"><span id="MathJax-Span-299" class="mo">(<span id="MathJax-Span-300" class="texatom"><span id="MathJax-Span-301" class="mrow"><span id="MathJax-Span-302" class="mi">m<span id="MathJax-Span-303" class="mi">o<span id="MathJax-Span-304" class="mi">d<span id="MathJax-Span-305" class="mspace"><span id="MathJax-Span-306" class="mn">7<span id="MathJax-Span-307" class="mo">)
- <span id="MathJax-Span-309" class="mrow"><span id="MathJax-Span-310" class="msubsup"><span id="MathJax-Span-311" class="mn">3<span id="MathJax-Span-312" class="mn">5<span id="MathJax-Span-313" class="mo">=<span id="MathJax-Span-314" class="mo">(<span id="MathJax-Span-315" class="msubsup"><span id="MathJax-Span-316" class="mn">3<span id="MathJax-Span-317" class="mn">4<span id="MathJax-Span-318" class="mo">)<span id="MathJax-Span-319" class="mo">×<span id="MathJax-Span-320" class="mn">3<span id="MathJax-Span-321" class="mo">≡<span id="MathJax-Span-322" class="mn">4<span id="MathJax-Span-323" class="mo">×<span id="MathJax-Span-324" class="mn">3<span id="MathJax-Span-325" class="mo">=<span id="MathJax-Span-326" class="mn">12<span id="MathJax-Span-327" class="mo">≡<span id="MathJax-Span-328" class="mn">5<span id="MathJax-Span-329" class="mspace"><span id="MathJax-Span-330" class="mo">(<span id="MathJax-Span-331" class="texatom"><span id="MathJax-Span-332" class="mrow"><span id="MathJax-Span-333" class="mi">m<span id="MathJax-Span-334" class="mi">o<span id="MathJax-Span-335" class="mi">d<span id="MathJax-Span-336" class="mspace"><span id="MathJax-Span-337" class="mn">7<span id="MathJax-Span-338" class="mo">)
所以 <span id="MathJax-Span-340" class="mrow"><span id="MathJax-Span-341" class="mi">a<span id="MathJax-Span-342" class="mo">=<span id="MathJax-Span-343" class="mn">5 .我们通过反复乘以 3 为底(得到 3、2、6、4 和 5)来“反弹”整数模 7 的方式应该会让您直观地了解为什么 DLP 在这种情况下看起来很困难。如果我们的素数大于 7,比如说二进制的数千位长,即使是计算机也需要很长时间才能以这种方式求解 DLP(尽管有更好的次指数时间算法,并且没有证明不存在用于求解此类组中的 DLP 的多项式时间算法)。
The Computational Diffie-Hellman Problem (CDH)
计算 Diffie-Hellman 问题 (CDH)
A problem related to DLP is named after Whit Diffie and Martin Hellman who devised a way of two parties agreeing on a secret key over a public channel without revealing it:
一个与 DLP 相关的问题以 Whit Diffie 和 Martin Hellman 的名字命名,他们设计了一种方法,让双方在不透露的情况下通过公共频道就密钥达成一致:
- Alice and Bob publicly agree on a cyclic group <span id="MathJax-Span-345" class="mrow"><span id="MathJax-Span-346" class="mi">G and generator <span id="MathJax-Span-348" class="mrow"><span id="MathJax-Span-349" class="mi">g.
Alice 和 Bob 公开同意循环群 <span id="MathJax-Span-345" class="mrow"><span id="MathJax-Span-346" class="mi">G 和生成器 <span id="MathJax-Span-348" class="mrow"><span id="MathJax-Span-349" class="mi">g 。 - Alice chooses a random secret integer <span id="MathJax-Span-351" class="mrow"><span id="MathJax-Span-352" class="mi">a and Bob chooses a random secret integer <span id="MathJax-Span-354" class="mrow"><span id="MathJax-Span-355" class="mi">b.
Alice 选择一个随机秘密整数 <span id="MathJax-Span-351" class="mrow"><span id="MathJax-Span-352" class="mi">a ,Bob 选择一个随机秘密整数 <span id="MathJax-Span-354" class="mrow"><span id="MathJax-Span-355" class="mi">b 。 - Alice computes <span id="MathJax-Span-357" class="mrow"><span id="MathJax-Span-358" class="msubsup"><span id="MathJax-Span-359" class="mi">g<span id="MathJax-Span-360" class="mi">a and publicly sends this to Bob. Bob computes <span id="MathJax-Span-362" class="mrow"><span id="MathJax-Span-363" class="msubsup"><span id="MathJax-Span-364" class="mi">g<span id="MathJax-Span-365" class="mi">b and publicly sends this to Alice.
Alice 计算 <span id="MathJax-Span-357" class="mrow"><span id="MathJax-Span-358" class="msubsup"><span id="MathJax-Span-359" class="mi">g<span id="MathJax-Span-360" class="mi">a 并公开将其发送给 Bob。Bob 计算 <span id="MathJax-Span-362" class="mrow"><span id="MathJax-Span-363" class="msubsup"><span id="MathJax-Span-364" class="mi">g<span id="MathJax-Span-365" class="mi">b 并公开将其发送给 Alice。 - Alice and Bob both compute <span id="MathJax-Span-367" class="mrow"><span id="MathJax-Span-368" class="msubsup"><span id="MathJax-Span-369" class="mi">g<span id="MathJax-Span-370" class="texatom"><span id="MathJax-Span-371" class="mrow"><span id="MathJax-Span-372" class="mi">a<span id="MathJax-Span-373" class="mi">b<span id="MathJax-Span-374" class="mo">=<span id="MathJax-Span-375" class="mo">(<span id="MathJax-Span-376" class="msubsup"><span id="MathJax-Span-377" class="mi">g<span id="MathJax-Span-378" class="mi">a<span id="MathJax-Span-379" class="msubsup"><span id="MathJax-Span-380" class="mo">)<span id="MathJax-Span-381" class="mi">b<span id="MathJax-Span-382" class="mo">=<span id="MathJax-Span-383" class="mo">(<span id="MathJax-Span-384" class="msubsup"><span id="MathJax-Span-385" class="mi">g<span id="MathJax-Span-386" class="mi">b<span id="MathJax-Span-387" class="msubsup"><span id="MathJax-Span-388" class="mo">)<span id="MathJax-Span-389" class="mi">a by raising what they received from the other party to power of their own secret integer.
Alice 和 Bob 都 <span id="MathJax-Span-367" class="mrow"><span id="MathJax-Span-368" class="msubsup"><span id="MathJax-Span-369" class="mi">g<span id="MathJax-Span-370" class="texatom"><span id="MathJax-Span-371" class="mrow"><span id="MathJax-Span-372" class="mi">a<span id="MathJax-Span-373" class="mi">b<span id="MathJax-Span-374" class="mo">=<span id="MathJax-Span-375" class="mo">(<span id="MathJax-Span-376" class="msubsup"><span id="MathJax-Span-377" class="mi">g<span id="MathJax-Span-378" class="mi">a<span id="MathJax-Span-379" class="msubsup"><span id="MathJax-Span-380" class="mo">)<span id="MathJax-Span-381" class="mi">b<span id="MathJax-Span-382" class="mo">=<span id="MathJax-Span-383" class="mo">(<span id="MathJax-Span-384" class="msubsup"><span id="MathJax-Span-385" class="mi">g<span id="MathJax-Span-386" class="mi">b<span id="MathJax-Span-387" class="msubsup"><span id="MathJax-Span-388" class="mo">)<span id="MathJax-Span-389" class="mi">a 通过将他们从对方那里得到的东西提高到他们自己的秘密整数的幂来计算。
现在 <span id="MathJax-Span-391" class="mrow"><span id="MathJax-Span-392" class="msubsup"><span id="MathJax-Span-393" class="mi">g<span id="MathJax-Span-394" class="texatom"><span id="MathJax-Span-395" class="mrow"><span id="MathJax-Span-396" class="mi">a<span id="MathJax-Span-397" class="mi">b 是一个密钥,可用于 Alice 和 Bob 的对称加密和解密。但是有人在听交流时,他们拥有 <span id="MathJax-Span-399" class="mrow"><span id="MathJax-Span-400" class="mi">G 、 <span id="MathJax-Span-402" class="mrow"><span id="MathJax-Span-403" class="mi">g <span id="MathJax-Span-405" class="mrow"><span id="MathJax-Span-406" class="msubsup"><span id="MathJax-Span-407" class="mi">g<span id="MathJax-Span-408" class="mi">a 和 <span id="MathJax-Span-410" class="mrow"><span id="MathJax-Span-411" class="msubsup"><span id="MathJax-Span-412" class="mi">g<span id="MathJax-Span-413" class="mi">b 。因此,密钥 <span id="MathJax-Span-415" class="mrow"><span id="MathJax-Span-416" class="msubsup"><span id="MathJax-Span-417" class="mi">g<span id="MathJax-Span-418" class="texatom"><span id="MathJax-Span-419" class="mrow"><span id="MathJax-Span-420" class="mi">a<span id="MathJax-Span-421" class="mi">b 的保密性取决于这个问题,称为计算 Diffie-Hellman 问题 (CDH):
Given <span id="MathJax-Span-423" class="mrow"><span id="MathJax-Span-424" class="mi">G, <span id="MathJax-Span-426" class="mrow"><span id="MathJax-Span-427" class="mi">g, <span id="MathJax-Span-429" class="mrow"><span id="MathJax-Span-430" class="msubsup"><span id="MathJax-Span-431" class="mi">g<span id="MathJax-Span-432" class="mi">a and <span id="MathJax-Span-434" class="mrow"><span id="MathJax-Span-435" class="msubsup"><span id="MathJax-Span-436" class="mi">g<span id="MathJax-Span-437" class="mi">b, find <span id="MathJax-Span-439" class="mrow"><span id="MathJax-Span-440" class="msubsup"><span id="MathJax-Span-441" class="mi">g<span id="MathJax-Span-442" class="texatom"><span id="MathJax-Span-443" class="mrow"><span id="MathJax-Span-444" class="mi">a<span id="MathJax-Span-445" class="mi">b.
给定 <span id="MathJax-Span-423" class="mrow"><span id="MathJax-Span-424" class="mi">G 、 <span id="MathJax-Span-426" class="mrow"><span id="MathJax-Span-427" class="mi">g <span id="MathJax-Span-429" class="mrow"><span id="MathJax-Span-430" class="msubsup"><span id="MathJax-Span-431" class="mi">g<span id="MathJax-Span-432" class="mi">a 和 <span id="MathJax-Span-434" class="mrow"><span id="MathJax-Span-435" class="msubsup"><span id="MathJax-Span-436" class="mi">g<span id="MathJax-Span-437" class="mi">b ,找到 <span id="MathJax-Span-439" class="mrow"><span id="MathJax-Span-440" class="msubsup"><span id="MathJax-Span-441" class="mi">g<span id="MathJax-Span-442" class="texatom"><span id="MathJax-Span-443" class="mrow"><span id="MathJax-Span-444" class="mi">a<span id="MathJax-Span-445" class="mi">b 。
给定 <span id="MathJax-Span-423" class="mrow"><span id="MathJax-Span-424" class="mi">G 、 <span id="MathJax-Span-426" class="mrow"><span id="MathJax-Span-427" class="mi">g <span id="MathJax-Span-429" class="mrow"><span id="MathJax-Span-430" class="msubsup"><span id="MathJax-Span-431" class="mi">g<span id="MathJax-Span-432" class="mi">a 和 <span id="MathJax-Span-434" class="mrow"><span id="MathJax-Span-435" class="msubsup"><span id="MathJax-Span-436" class="mi">g<span id="MathJax-Span-437" class="mi">b ,找到 <span id="MathJax-Span-439" class="mrow"><span id="MathJax-Span-440" class="msubsup"><span id="MathJax-Span-441" class="mi">g<span id="MathJax-Span-442" class="texatom"><span id="MathJax-Span-443" class="mrow"><span id="MathJax-Span-444" class="mi">a<span id="MathJax-Span-445" class="mi">b 。
CDH is clearly related to DLP, but which is harder? Well, if I can solve DLP then I can efficiently compute the secret integer <span id="MathJax-Span-447" class="mrow"><span id="MathJax-Span-448" class="mi">a from <span id="MathJax-Span-450" class="mrow"><span id="MathJax-Span-451" class="msubsup"><span id="MathJax-Span-452" class="mi">g<span id="MathJax-Span-453" class="mi">a and then find <span id="MathJax-Span-455" class="mrow"><span id="MathJax-Span-456" class="msubsup"><span id="MathJax-Span-457" class="mi">g<span id="MathJax-Span-458" class="texatom"><span id="MathJax-Span-459" class="mrow"><span id="MathJax-Span-460" class="mi">a<span id="MathJax-Span-461" class="mi">b by raising <span id="MathJax-Span-463" class="mrow"><span id="MathJax-Span-464" class="msubsup"><span id="MathJax-Span-465" class="mi">g<span id="MathJax-Span-466" class="texatom"><span id="MathJax-Span-467" class="mrow"><span id="MathJax-Span-468" class="mi">b to the power <span id="MathJax-Span-470" class="mrow"><span id="MathJax-Span-471" class="mi">a in the same way Alice does, therefore solving CDH. So anyone who can solve DLP can also solve CDH, meaning DLP is at least as hard as CDH.
CDH 显然与 DLP 有关,但哪个更难?好吧,如果我能解决 DLP,那么我就可以有效地 <span id="MathJax-Span-447" class="mrow"><span id="MathJax-Span-448" class="mi">a 计算秘密整数, <span id="MathJax-Span-450" class="mrow"><span id="MathJax-Span-451" class="msubsup"><span id="MathJax-Span-452" class="mi">g<span id="MathJax-Span-453" class="mi">a 然后以与 Alice 相同的方式通过提高到 <span id="MathJax-Span-463" class="mrow"><span id="MathJax-Span-464" class="msubsup"><span id="MathJax-Span-465" class="mi">g<span id="MathJax-Span-466" class="texatom"><span id="MathJax-Span-467" class="mrow"><span id="MathJax-Span-468" class="mi">b 幂 <span id="MathJax-Span-470" class="mrow"><span id="MathJax-Span-471" class="mi">a 来找到 <span id="MathJax-Span-455" class="mrow"><span id="MathJax-Span-456" class="msubsup"><span id="MathJax-Span-457" class="mi">g<span id="MathJax-Span-458" class="texatom"><span id="MathJax-Span-459" class="mrow"><span id="MathJax-Span-460" class="mi">a<span id="MathJax-Span-461" class="mi">b ,从而解决 CDH。所以任何能解决DLP的人也可以解决CDH,这意味着DLP至少和CDH一样难。
The Decisional Diffie-Hellman Problem (DDH)
决策 Diffie-Hellman 问题 (DDH)
This is another 'discrete logarithm' style problem used to prove indistinguishability properties. Say Alice and Bob perform the Diffie-Hellman key agreement protocol as above so that <span id="MathJax-Span-473" class="mrow"><span id="MathJax-Span-474" class="mi">G, <span id="MathJax-Span-476" class="mrow"><span id="MathJax-Span-477" class="mi">g, <span id="MathJax-Span-479" class="mrow"><span id="MathJax-Span-480" class="msubsup"><span id="MathJax-Span-481" class="mi">g<span id="MathJax-Span-482" class="mi">a and <span id="MathJax-Span-484" class="mrow"><span id="MathJax-Span-485" class="msubsup"><span id="MathJax-Span-486" class="mi">g<span id="MathJax-Span-487" class="mi">b are all public and <span id="MathJax-Span-489" class="mrow"><span id="MathJax-Span-490" class="msubsup"><span id="MathJax-Span-491" class="mi">g<span id="MathJax-Span-492" class="texatom"><span id="MathJax-Span-493" class="mrow"><span id="MathJax-Span-494" class="mi">a<span id="MathJax-Span-495" class="mi">b is the shared secret key. Intuitively, the Decisional Diffie-Hellman Problem (DDH) asks whether an adversary can distinguish Alice and Bob's secret key <span id="MathJax-Span-497" class="mrow"><span id="MathJax-Span-498" class="msubsup"><span id="MathJax-Span-499" class="mi">g<span id="MathJax-Span-500" class="texatom"><span id="MathJax-Span-501" class="mrow"><span id="MathJax-Span-502" class="mi">a<span id="MathJax-Span-503" class="mi">b from a random group element of <span id="MathJax-Span-505" class="mrow"><span id="MathJax-Span-506" class="mi">G. Formally:
这是另一个“离散对数”风格的问题,用于证明不可区分性。假设 Alice 和 Bob 执行如上所述的 Diffie-Hellman 密钥协议,因此 <span id="MathJax-Span-473" class="mrow"><span id="MathJax-Span-474" class="mi">G 、 <span id="MathJax-Span-476" class="mrow"><span id="MathJax-Span-477" class="mi">g <span id="MathJax-Span-479" class="mrow"><span id="MathJax-Span-480" class="msubsup"><span id="MathJax-Span-481" class="mi">g<span id="MathJax-Span-482" class="mi">a 和 <span id="MathJax-Span-484" class="mrow"><span id="MathJax-Span-485" class="msubsup"><span id="MathJax-Span-486" class="mi">g<span id="MathJax-Span-487" class="mi">b 都是公共的,并且是 <span id="MathJax-Span-489" class="mrow"><span id="MathJax-Span-490" class="msubsup"><span id="MathJax-Span-491" class="mi">g<span id="MathJax-Span-492" class="texatom"><span id="MathJax-Span-493" class="mrow"><span id="MathJax-Span-494" class="mi">a<span id="MathJax-Span-495" class="mi">b 共享的密钥。直观地说,决策 Diffie-Hellman 问题 (DDH) 询问对手是否可以将 Alice 和 Bob 的密钥 <span id="MathJax-Span-497" class="mrow"><span id="MathJax-Span-498" class="msubsup"><span id="MathJax-Span-499" class="mi">g<span id="MathJax-Span-500" class="texatom"><span id="MathJax-Span-501" class="mrow"><span id="MathJax-Span-502" class="mi">a<span id="MathJax-Span-503" class="mi">b 与随机 <span id="MathJax-Span-505" class="mrow"><span id="MathJax-Span-506" class="mi">G 组元素区分开来。正式:
Given <span id="MathJax-Span-508" class="mrow"><span id="MathJax-Span-509" class="mi">G, <span id="MathJax-Span-511" class="mrow"><span id="MathJax-Span-512" class="mi">g, <span id="MathJax-Span-514" class="mrow"><span id="MathJax-Span-515" class="msubsup"><span id="MathJax-Span-516" class="mi">g<span id="MathJax-Span-517" class="mi">a, <span id="MathJax-Span-519" class="mrow"><span id="MathJax-Span-520" class="msubsup"><span id="MathJax-Span-521" class="mi">g<span id="MathJax-Span-522" class="mi">b and <span id="MathJax-Span-524" class="mrow"><span id="MathJax-Span-525" class="msubsup"><span id="MathJax-Span-526" class="mi">T<span id="MathJax-Span-527" class="mi">x such that <span id="MathJax-Span-529" class="mrow"><span id="MathJax-Span-530" class="msubsup"><span id="MathJax-Span-531" class="mi">T<span id="MathJax-Span-532" class="mn">0 is a random element of <span id="MathJax-Span-534" class="mrow"><span id="MathJax-Span-535" class="mi">G, <span id="MathJax-Span-537" class="mrow"><span id="MathJax-Span-538" class="msubsup"><span id="MathJax-Span-539" class="mi">T<span id="MathJax-Span-540" class="mn">1<span id="MathJax-Span-541" class="mo">=<span id="MathJax-Span-542" class="msubsup"><span id="MathJax-Span-543" class="mi">g<span id="MathJax-Span-544" class="texatom"><span id="MathJax-Span-545" class="mrow"><span id="MathJax-Span-546" class="mi">a<span id="MathJax-Span-547" class="mi">b and <span id="MathJax-Span-549" class="mrow"><span id="MathJax-Span-550" class="mi">x is chosen uniformly at random from <span id="MathJax-Span-552" class="mrow"><span id="MathJax-Span-553" class="mo">{<span id="MathJax-Span-554" class="mn">0<span id="MathJax-Span-555" class="mo">,<span id="MathJax-Span-556" class="mn">1<span id="MathJax-Span-557" class="mo">}, find <span id="MathJax-Span-559" class="mrow"><span id="MathJax-Span-560" class="mi">x.
给定 <span id="MathJax-Span-508" class="mrow"><span id="MathJax-Span-509" class="mi">G 、 <span id="MathJax-Span-511" class="mrow"><span id="MathJax-Span-512" class="mi">g 、 <span id="MathJax-Span-514" class="mrow"><span id="MathJax-Span-515" class="msubsup"><span id="MathJax-Span-516" class="mi">g<span id="MathJax-Span-517" class="mi">a <span id="MathJax-Span-519" class="mrow"><span id="MathJax-Span-520" class="msubsup"><span id="MathJax-Span-521" class="mi">g<span id="MathJax-Span-522" class="mi">b 等 <span id="MathJax-Span-524" class="mrow"><span id="MathJax-Span-525" class="msubsup"><span id="MathJax-Span-526" class="mi">T<span id="MathJax-Span-527" class="mi">x <span id="MathJax-Span-529" class="mrow"><span id="MathJax-Span-530" class="msubsup"><span id="MathJax-Span-531" class="mi">T<span id="MathJax-Span-532" class="mn">0 是 的 <span id="MathJax-Span-534" class="mrow"><span id="MathJax-Span-535" class="mi">G 随机元素, <span id="MathJax-Span-537" class="mrow"><span id="MathJax-Span-538" class="msubsup"><span id="MathJax-Span-539" class="mi">T<span id="MathJax-Span-540" class="mn">1<span id="MathJax-Span-541" class="mo">=<span id="MathJax-Span-542" class="msubsup"><span id="MathJax-Span-543" class="mi">g<span id="MathJax-Span-544" class="texatom"><span id="MathJax-Span-545" class="mrow"><span id="MathJax-Span-546" class="mi">a<span id="MathJax-Span-547" class="mi">b 并且 <span id="MathJax-Span-549" class="mrow"><span id="MathJax-Span-550" class="mi">x 从 <span id="MathJax-Span-552" class="mrow"><span id="MathJax-Span-553" class="mo">{<span id="MathJax-Span-554" class="mn">0<span id="MathJax-Span-555" class="mo">,<span id="MathJax-Span-556" class="mn">1<span id="MathJax-Span-557" class="mo">} 中随机均匀选择,找到 <span id="MathJax-Span-559" class="mrow"><span id="MathJax-Span-560" class="mi">x 。
If an adversary can solve DDH (i.e. output the correct value of <span id="MathJax-Span-562" class="mrow"><span id="MathJax-Span-563" class="mi">x with probability greater than <span id="MathJax-Span-565" class="mrow"><span id="MathJax-Span-566" class="mfrac"><span id="MathJax-Span-567" class="mn">1<span id="MathJax-Span-568" class="mn">2), then <span id="MathJax-Span-570" class="mrow"><span id="MathJax-Span-571" class="mi">G, <span id="MathJax-Span-573" class="mrow"><span id="MathJax-Span-574" class="mi">g, <span id="MathJax-Span-576" class="mrow"><span id="MathJax-Span-577" class="msubsup"><span id="MathJax-Span-578" class="mi">g<span id="MathJax-Span-579" class="mi">a and <span id="MathJax-Span-581" class="mrow"><span id="MathJax-Span-582" class="msubsup"><span id="MathJax-Span-583" class="mi">g<span id="MathJax-Span-584" class="mi">b must leak some information about the secret key <span id="MathJax-Span-586" class="mrow"><span id="MathJax-Span-587" class="msubsup"><span id="MathJax-Span-588" class="mi">g<span id="MathJax-Span-589" class="texatom"><span id="MathJax-Span-590" class="mrow"><span id="MathJax-Span-591" class="mi">a<span id="MathJax-Span-592" class="mi">b that distinguishes it from a random group element, even if it can't be computed directly. What should be clear is that if the adversary can solve the computational Diffie-Hellman problem, then they can actually compute <span id="MathJax-Span-594" class="mrow"><span id="MathJax-Span-595" class="msubsup"><span id="MathJax-Span-596" class="mi">g<span id="MathJax-Span-597" class="texatom"><span id="MathJax-Span-598" class="mrow"><span id="MathJax-Span-599" class="mi">a<span id="MathJax-Span-600" class="mi">b and hence trivially distinguish this element from a random group element, thereby solving the decisional Diffie-Hellman problem. So anyone who can solve CDH can also solve DDH, meaning CDH is at least as hard as DDH.给定 <span id="MathJax-Span-508" class="mrow"><span id="MathJax-Span-509" class="mi">G 、 <span id="MathJax-Span-511" class="mrow"><span id="MathJax-Span-512" class="mi">g 、 <span id="MathJax-Span-514" class="mrow"><span id="MathJax-Span-515" class="msubsup"><span id="MathJax-Span-516" class="mi">g<span id="MathJax-Span-517" class="mi">a <span id="MathJax-Span-519" class="mrow"><span id="MathJax-Span-520" class="msubsup"><span id="MathJax-Span-521" class="mi">g<span id="MathJax-Span-522" class="mi">b 等 <span id="MathJax-Span-524" class="mrow"><span id="MathJax-Span-525" class="msubsup"><span id="MathJax-Span-526" class="mi">T<span id="MathJax-Span-527" class="mi">x <span id="MathJax-Span-529" class="mrow"><span id="MathJax-Span-530" class="msubsup"><span id="MathJax-Span-531" class="mi">T<span id="MathJax-Span-532" class="mn">0 是 的 <span id="MathJax-Span-534" class="mrow"><span id="MathJax-Span-535" class="mi">G 随机元素, <span id="MathJax-Span-537" class="mrow"><span id="MathJax-Span-538" class="msubsup"><span id="MathJax-Span-539" class="mi">T<span id="MathJax-Span-540" class="mn">1<span id="MathJax-Span-541" class="mo">=<span id="MathJax-Span-542" class="msubsup"><span id="MathJax-Span-543" class="mi">g<span id="MathJax-Span-544" class="texatom"><span id="MathJax-Span-545" class="mrow"><span id="MathJax-Span-546" class="mi">a<span id="MathJax-Span-547" class="mi">b 并且 <span id="MathJax-Span-549" class="mrow"><span id="MathJax-Span-550" class="mi">x 从 <span id="MathJax-Span-552" class="mrow"><span id="MathJax-Span-553" class="mo">{<span id="MathJax-Span-554" class="mn">0<span id="MathJax-Span-555" class="mo">,<span id="MathJax-Span-556" class="mn">1<span id="MathJax-Span-557" class="mo">} 中随机均匀选择,找到 <span id="MathJax-Span-559" class="mrow"><span id="MathJax-Span-560" class="mi">x 。
如果攻击者可以求解 DDH(即输出概率大于 的正确值 <span id="MathJax-Span-562" class="mrow"><span id="MathJax-Span-563" class="mi">x ),那么 <span id="MathJax-Span-570" class="mrow"><span id="MathJax-Span-571" class="mi">G , <span id="MathJax-Span-573" class="mrow"><span id="MathJax-Span-574" class="mi">g <span id="MathJax-Span-576" class="mrow"><span id="MathJax-Span-577" class="msubsup"><span id="MathJax-Span-578" class="mi">g<span id="MathJax-Span-579" class="mi">a , 并且 <span id="MathJax-Span-581" class="mrow"><span id="MathJax-Span-582" class="msubsup"><span id="MathJax-Span-583" class="mi">g<span id="MathJax-Span-584" class="mi">b 必须泄露一些关于将其与随机组元素区分开来的密钥 <span id="MathJax-Span-586" class="mrow"><span id="MathJax-Span-587" class="msubsup"><span id="MathJax-Span-588" class="mi">g<span id="MathJax-Span-589" class="texatom"><span id="MathJax-Span-590" class="mrow"><span id="MathJax-Span-591" class="mi">a<span id="MathJax-Span-592" class="mi">b 的信息,即使它不能直接计算。 <span id="MathJax-Span-565" class="mrow"><span id="MathJax-Span-566" class="mfrac"><span id="MathJax-Span-567" class="mn">1<span id="MathJax-Span-568" class="mn">2 应该清楚的是,如果对手能够解决计算的 Diffie-Hellman 问题,那么他们实际上可以计算 <span id="MathJax-Span-594" class="mrow"><span id="MathJax-Span-595" class="msubsup"><span id="MathJax-Span-596" class="mi">g<span id="MathJax-Span-597" class="texatom"><span id="MathJax-Span-598" class="mrow"><span id="MathJax-Span-599" class="mi">a<span id="MathJax-Span-600" class="mi">b 并因此轻松地将该元素与随机群元素区分开来,从而解决决策 Diffie-Hellman 问题。所以任何能解决 CDH 的人也可以解决 DDH,这意味着 CDH 至少和 DDH 一样难。
These are the three problems we wanted to talk about and we've given a sketch proof of their ordering in terms of hardness: DLP is the most hard, then CDH and then DDH. As we've seen, DLP is sometimes easy, making CDH and DDH easy. So the choice of group <span id="MathJax-Span-602" class="mrow"><span id="MathJax-Span-603" class="mi">G and generator <span id="MathJax-Span-605" class="mrow"><span id="MathJax-Span-606" class="mi">g is very important when doing cryptography!
这是我们想要讨论的三个问题,我们已经给出了它们在硬度方面的排序的草图证明:DLP 是最硬的,然后是 CDH,然后是 DDH。正如我们所看到的,DLP 有时很容易,使 CDH 和 DDH 变得容易。所以在做密码学的时候,组 <span id="MathJax-Span-602" class="mrow"><span id="MathJax-Span-603" class="mi">G 和生成器 <span id="MathJax-Span-605" class="mrow"><span id="MathJax-Span-606" class="mi">g 的选择是非常重要的!
The Working Class Must Lead!